On Thu, 5 Feb 2026 at 10:05, Richard Purdie via lists.openembedded.org <[email protected]> wrote:
> * the more process we put around it, particularly if we start insisting
> on it, the fewer contributions we might get

I was going to say something like this. Adding more process does not fix the problem of not having enough people; actually, it makes the problem worse.

Also, I know this sounds contrarian, but I think this whole CVE backporting business is utter madness. What companies should be doing is having the processes and tooling to upgrade their products properly. Backporting CVEs is usually done by someone who has no idea about the code; the resulting patch never gets review or approval from upstream maintainers, or even casual comparison with the upstream commit, so it's very easy to get things subtly wrong or even intentionally slip backdoors in that way. In some cases the upstream code has diverged so far that a realistic backport isn't possible to begin with.

The approach to security in this industry is just broken, the way I see it.

Alex
